The msvidctl Internet Explorer 0day

As you’ve probably already heard, there’s a dangerous vulnerability in Internet Explorer 6 & Internet Explorer 7 being exploited in the wild. The vulnerability affects Windows XP Service Pack 0 to Service Pack 3. Microsoft hasn’t released a patch yet, but they have provided a work-around.

Some people have simply recommended turning off JavaScript to mitigate this issue. However this vulnerability is a trivial buffer overflow which makes it possible to overwrite the SEH handler. Thus, heap spraying is not required and turning off JavaScript only mitigates attacks from less skilled attackers. I put a bit of time into researching this -it very quickly became clear that this vulnerability doesn’t rely on JavaScript, i.e. it can be exploited with JavaScript turned off:

The vulnerability allows arbitrary code execution and we therefore strongly recommend that you should apply the workaround from Microsoft’s advisory or turn off ActiveX altogether. Otherwise you will be at risk of exploitation of Internet Explorer 6 and Internet Explorer 7.

We’ve added generic detection for the actual exploit as Exploit.Win32.Direktshow and the often accompanying JavaScript as Exploit.JS.Direktshow.

(08.07, 15.04: edited to correct typo in the Service Pack information.)

I agree to provide my email address to “AO Kaspersky Lab” to receive information about new posts on the site. I understand that I can withdraw this consent at any time via e-mail by clicking the “unsubscribe” link that I find at the bottom of any e-mail sent to me for the purposes mentioned above.